I have a regex if statement that includes brackets:
if [prog] =~ /^openvpn[[0-9]*]$/ {
grok {
match => [ "message", "%{IP:remote_ip}:%{POSINT:remote_port} \[%{USERNAME:username}\] %{GREEDYDATA:event}"]
}
}
This doesn't match on "openvpn[58567]" despite the pattern being valid.
I tried escaping the brackets without luck.
Would appreciate any help -- sure it'll be quick!
if [prog] =~ /^openvpn\[[0-9]*\]$/ {
or
if [prog] =~ /^openvpn\[\d*\]$/ {Thanks! I tried your first answer before and thought it didn't work -- it does.
Is there formal documentation as to which characters need special treatment in grok?
I did try to look so please forgive me if I missed something.
Is there formal documentation as to which characters need special treatment in grok?
Grok expressions are regular expressions with some extra %{PATTERN:fieldname} sugar on top so any regular expression reference will do.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.